Share this story

The outcome of the 2016 presidential election is history. But allegations of voter fraud, election interference by foreign governments, and intrusions into state electoral agencies' systems have since cast a pall over the system that determines who makes the laws and enforces them in the United States. Such problems will not disappear no matter what comes out of a presidential commission or a Congressional hearing.

"Amazon will not go out of business because one percent of its transactions are fraudulent," said David Jefferson, a visiting computer scientist at Lawrence Livermore National Laboratory and chairman of the Verified Voting Foundation, a non-governmental organization working toward accuracy, integrity, and verifiability of elections. "That's not the case for elections."

Jefferson's words came during his talk at the latest edition of DEFCON, the annual infosec event. Election hacks naturally became something of an overarching theme within the Caesar's Palace convention center this summer. In fact, there was an entire room dedicated solely to testing the reliability of US electronic voting systems. Called "Voting Village," the space was filled with more than 25 pieces of electoral hardware—voting machines and other electronic election-management equipment—in various stages of deconstruction. Any curious conference attendee, no matter where they fell within the conference's wide technical skill spectrum, could contribute to the onslaught of software and hardware hacks targeting the machines in this de facto lab.

The results were sobering. By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems…The DEFCON Voting Village showed that technical minds with little or no previous knowledge about voting machines, without even being provided proper documentation or tools, can still learn how to hack the machines within tens of minutes or a few hours.

The report published on October 10. Less than a month later, another election day is upon us here in the US. There isn't much reason to be more confident in electoral systems this year, either.

A recent history of electronic voting

Taking your best Mr. Robot-style hack-fu to the US electoral system wasn't always possible, of course. It was the outcome of another bitterly fought election—in 2000, between George W. Bush and Albert Gore—that drove the US to legislate the adoption of new technologies for voting. The shift was supposed to restore faith in the electoral system after swaths of the voting public had butterfly ballot nightmares. But the Help America Vote Act of 2001 (HAVA), which funded the creation of the Election Assistance Commission and the adoption of electronic voting systems by state and local governments, instead introduced a whole new set of uncertainties to our election systems.

Use-or-lose funding and a loose patchwork of standards led to early issues, and many of these problems are still there. One of the biggest culprits is the fact that the voting security standards, as set by the Election Assistance Commission, are still voluntary. Some systems therefore continue to run vulnerable operating systems or other technologies that are demonstrably vulnerable. And even when systems have been determined to be vulnerable, they remain in use for a long time—largely because the money used to buy them in the first place is long gone.

Further Reading

That's not to say that electronic voting is inherently a bad idea. Worldwide, electronic voting has caught on in places like Switzerland, Spain, Brazil, Australia, India, and Canada, for instance. US elections are complex undertakings—particularly primaries, where ballots vary both by party and a voter's residence—and part of the intent of HAVA was to make ballots more accessible to people with disabilities who may have struggled with a mechanical or paper punch system (like those infamous butterfly ballots). Electronic systems also make vote counting and reporting somewhat less prone to human error and outright fraud by eliminating the human clerical steps involved in elections.

But while electronic voting systems may make it easier to run elections, they introduce a host of new problems—not just those high-tech headaches from DEFCON, but even the basic issue of trust.

"They're voting computers," said Matt Blaze, associate professor of computer and information science at the University of Pennsylvania and a researcher focused on computer security and cryptography. "So understanding what they do is as easy or as hard as understanding what a computer does." Whether or not we believe that the companies making electoral systems are capable of building reliable computer systems "is actually kind of central to whether we regard the government we have as being legitimately elected," Blaze concluded.

Broward County Canvassing Board Member Judge Robert Rosenberg (L) shows a ballot to an unidentified observer at the Broward County Courthouse in Ft. Lauderdale, Florida in November 2000. This is why we can't have nice things.

Getty Images

Trustworthy computing?

"The question that the electronic voting community has asked is 'Are [electronic voting] machines better against this traditional threat than the paper systems we knew before?'" Blaze said during his DEFCON presentation. "The answer to that question is and has been mostly 'no.'"

In previous examinations of electronic tabulation systems, known in the industry as Direct Recorder Electronic (DRE) voting machines, Blaze said researchers largely found "horrific" vulnerabilities. "We were literally limited only by our typing speed in writing them down," he said. "You open the box, and they hit you in the face." Some of those vulnerabilities were documented by Blaze and other researchers as part of the 2007 California Top-To-Bottom Review and Ohio EVEREST Review.

While there has been some consolidation in the voting systems market over the past decade, DRE machines remain vulnerable in 2017 largely because they rely on antiquated, general-purpose technologies that are rarely updated. And while vendors proclaim their systems to be secure, the accuracy of those claims depends a great deal on how "secure" is defined.

Further Reading

"When someone asks you to determine 'are these things secure?' the first question you should ask is 'What does secure mean?'" Blaze said. In voting, he suggests a secure goal is that each person can only vote once and that fraudulent votes can't be cast—either through "ballot stuffing" with nonexistent voters' ballots, the practice of selling votes, or by administrators changing others' votes. These are the concerns the traditional threat model of election systems has focused on: stopping cheating in elections.

The National Institute of Standards and Technology (NIST) Election Cybersecurity Working Group is making an effort to improve standards for security in collaboration with the Election Assistance Commission. But Joshua Franklin, an IT security engineer at NIST who serves as co-chair of the working group, described the challenges in getting states and counties to adopt such voluntary guidance in full.

"These systems only get one to five updates over their lifecycle," Franklin explained. And those updates are hard to deploy—one update required electoral officials to receive PC-MCIA cards "to install a replacement for an X.509 certificate that had expired in 6,000 machines," he said.

Today, the US electoral system has become highly dependent on technology built on systems that few people put in charge understand. The fundamental weaknesses of decade-old Internet software and operating systems are part of the foundation of America's electoral process, and they're ripe for disruption or manipulation. It means an entirely different threat model has to emerge—"secure" may now mean something totally different from the traditional approach.

Share this story

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Emailsean.gallagher@arstechnica.com//Twitter@thepacketrat

What's with all the labels that say "THIS IS NOT A CAMERA"? The one on the inside of the machine is especially odd.

Edit: after doing some searching, it appears "THIS IS NOT A CAMERA" is a DEFCON meme, and people place these labels on everything (including actual cameras). That makes more sense than my assumption, which was that these machines came from the manufacturer with those labels.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

Imagine if hardware stores decided to start selling lacquer thinner out of an open barrel with a ladle, instead of in sealed metal cans like they do now. And we find that a growing number of hardware stores get destroyed by fire as they continue this practice.

Wouldn't you think they'd stop doing that and go back to a system that isn't so prone to catastrophic failure?

Not included in this article is the incredibly fractured nature of US election systems. From a security perspective, this makes it hard for a single vulnerability to cause problems universally. Assuming you start from a reasonably secure point, such heterogeneity is a positive. But when everything starts out woefully insecure, it becomes a serious downside. Because that's a million different unique ways stuff is broken, and there's no easy way to make universal improvements.

On a related note, I've acted as an Election judge for the past several major elections. I seem to be in a place doing things decently well. The 2016 election saw voter registration and sign in using electronic records. This allows them to get updates of voters registering in other precincts, last minute corrections, etc. And the votes are tallied by an optical 'ScanTron', and lets the voter know if there are any issues. (can't read, multiple votes for one position, etc) While the paper ballots are hand-filled, they are pretty readable, and avoid the terrible examples I've seen from FL or NY. Tossing in touch-screen voting devices that printed off human-and-machine readable ballots is still a viable way to improve, if you're concerned about issues with voter confusion.

I obviously can't speak to the digital security of the devices in question, though. I probably don't want to think about that.

Iowa (home of the invention of optical scan technology; yes it is, it was invented at U-Iowa by Professor Lindquist; prior systems used electrical transmission through the graphite) has mandated optical scan paper ballots for decades. After a vote, all ballots are collected and held by the state, and random audits are performed to verify both the results (a prerequisite to certification) and to test the hardware.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

A number of years ago I was paid by one of the Canadian Federal parties to be their representative at a specific poll at a poling station. At the end of the voting day you had the official scrutineers hired by Elections Canada opening each ballot and showing them to the representatives. The scrutineer would say who was marked on the ballot and we would all take tallies. When it came to a problem ballot either we agreed or it was marked as spoiled and put in a separate pile. That way if there was a challenge those ballots could be easily brought out for review.

Considering the millions/billions? of dollars flushed down the toilet with these electronic voting systems, would it not be better to simply spend that same money by hiring more people to have more voting stations and do manual paper counts? At least at the end of the day you get locals paid money and you have an honest count of the ballots.

NIST has proposed that systems give voters a receipt that gives them a way to verify their vote was included in the final tally

Indeed I expect that the NIST could design a fantastic voting system. Research into voting and authentication and such has produced a lot of really impressive things. Unfortunately the NIST has basically zero influence in this domain nor is anyone willing to spend any money to improve our voting system.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

A number of years ago I was paid by one of the Canadian Federal parties to be their representative at a specific poll at a poling station. At the end of the voting day you had the official scrutineers hired by Elections Canada opening each ballot and showing them to the representatives. The scrutineer would say who was marked on the ballot and we would all take tallies. When it came to a problem ballot either we agreed or it was marked as spoiled and put in a separate pile. That way if there was a challenge those ballots could be easily brought out for review.

Considering the millions/billions? of dollars flushed down the toilet with these electronic voting systems, would it not be better to simply spend that same money by hiring more people to have more voting stations and do manual paper counts? At least at the end of the day you get locals paid money and you have an honest count of the ballots.

What I like about our system is the accessibility. Anyone can understand marking and counting bits of paper. You can see for yourself how it works. There's no trusting whatever wizard proclaimed the magic box will faithfully count the votes.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

A number of years ago I was paid by one of the Canadian Federal parties to be their representative at a specific poll at a poling station. At the end of the voting day you had the official scrutineers hired by Elections Canada opening each ballot and showing them to the representatives. The scrutineer would say who was marked on the ballot and we would all take tallies. When it came to a problem ballot either we agreed or it was marked as spoiled and put in a separate pile. That way if there was a challenge those ballots could be easily brought out for review.

Considering the millions/billions? of dollars flushed down the toilet with these electronic voting systems, would it not be better to simply spend that same money by hiring more people to have more voting stations and do manual paper counts? At least at the end of the day you get locals paid money and you have an honest count of the ballots.

Considering the JOBS JOBS JOBS mantra I'm sort of surprised no one's made a big push for this

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

A number of years ago I was paid by one of the Canadian Federal parties to be their representative at a specific poll at a poling station. At the end of the voting day you had the official scrutineers hired by Elections Canada opening each ballot and showing them to the representatives. The scrutineer would say who was marked on the ballot and we would all take tallies. When it came to a problem ballot either we agreed or it was marked as spoiled and put in a separate pile. That way if there was a challenge those ballots could be easily brought out for review.

Considering the millions/billions? of dollars flushed down the toilet with these electronic voting systems, would it not be better to simply spend that same money by hiring more people to have more voting stations and do manual paper counts? At least at the end of the day you get locals paid money and you have an honest count of the ballots.

Note that Canadian election laws specifically state that this is how votes must be counted for any federal election, so your experience isn't a unique one. They also explicitly prohibit the use of any electronic voting systems for a federal election unless it's approved by the House and Senate first.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

A number of years ago I was paid by one of the Canadian Federal parties to be their representative at a specific poll at a poling station. At the end of the voting day you had the official scrutineers hired by Elections Canada opening each ballot and showing them to the representatives. The scrutineer would say who was marked on the ballot and we would all take tallies. When it came to a problem ballot either we agreed or it was marked as spoiled and put in a separate pile. That way if there was a challenge those ballots could be easily brought out for review.

Considering the millions/billions? of dollars flushed down the toilet with these electronic voting systems, would it not be better to simply spend that same money by hiring more people to have more voting stations and do manual paper counts? At least at the end of the day you get locals paid money and you have an honest count of the ballots.

What I like about our system is the accessibility. Anyone can understand marking and counting bits of paper. You can see for yourself how it works. There's no trusting whatever wizard proclaimed the magic box will faithfully count the votes.

We can of course trust the wizard who proclaimed that the people who count ballots will never deliberately or accidentally change the result. Everybody knows that wizard. Great guy. I'm going to have a beer with him after work.

Ballot boxes can be hacked by anyone with a claw hammer and some time so pen-and-paper is hardly an improvement here. Certainly voting machines should absolutely not have much, if any, networking capability.

-Some machines don't output a paper receipt to check that it counted your vote correctly (and even if it does, you can't be sure that it counted your vote for the same candidate that the paper states)

-Even if you get a paper receipt, that you then deposit in a sealed box, the boxes can "mysteriously" disappear, making it impossible to make a paper recount (as it happened in Venezuela)

Demonstrating that you vote went through correctly is absolutely impossible with pen-and-paper since there's no way to verify trustworthiness or competence of the person counting. On the other hand it is possible to create a receipt that can be compared against voting results to verify your vote was counted correctly, without having to expose anyone's votes.

That's why there is an entire system there to check everything's happening as it should. It's not perfect, but we've been doing it a lot longer than these election fraud machines have been around. Newer doesn't necessarily mean better.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

A number of years ago I was paid by one of the Canadian Federal parties to be their representative at a specific poll at a poling station. At the end of the voting day you had the official scrutineers hired by Elections Canada opening each ballot and showing them to the representatives. The scrutineer would say who was marked on the ballot and we would all take tallies. When it came to a problem ballot either we agreed or it was marked as spoiled and put in a separate pile. That way if there was a challenge those ballots could be easily brought out for review.

Considering the millions/billions? of dollars flushed down the toilet with these electronic voting systems, would it not be better to simply spend that same money by hiring more people to have more voting stations and do manual paper counts? At least at the end of the day you get locals paid money and you have an honest count of the ballots.

What I like about our system is the accessibility. Anyone can understand marking and counting bits of paper. You can see for yourself how it works. There's no trusting whatever wizard proclaimed the magic box will faithfully count the votes.

We can of course trust the wizard who proclaimed that the people who count ballots will never deliberately or accidentally change the result. Everybody knows that wizard. Great guy. I'm going to have a beer with him after work.

There's no trusting anyone. You can go volunteer or get paid by Elections Canada or one of the parties to take part in the process. Wow! Real democracy with actual participation and everything!

Worth noting that after this conference, Virginia held an emergency meeting and decertified all electronic voting machines without a paper trail. I believe they’re all optical scanners now, which can let you check results.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

You need a bit more. Representatives from each party to guarantee that each ballot goes into the box unaltered. The two then sign off on the ballot count when the ballot closes.

Basically you need multiple eyes watching the process from ballot distribution through counting.

Ballot boxes can be hacked by anyone with a claw hammer and some time so pen-and-paper is hardly an improvement here. Certainly voting machines should absolutely not have much, if any, networking capability.

-Some machines don't output a paper receipt to check that it counted your vote correctly (and even if it does, you can't be sure that it counted your vote for the same candidate that the paper states)

-Even if you get a paper receipt, that you then deposit in a sealed box, the boxes can "mysteriously" disappear, making it impossible to make a paper recount (as it happened in Venezuela)

Demonstrating that you vote went through correctly is absolutely impossible with pen-and-paper since there's no way to verify trustworthiness or competence of the person counting. On the other hand it is possible to create a receipt that can be compared against voting results to verify your vote was counted correctly, without having to expose anyone's votes.

See gmerrick's post. There is absolutely a way to verify that the vote count is done in a fair and trustworthy way, and it's common practice in other countries. The only way that the process he described could really fail is if the independent elections official and the actual candidates (or their representatives, if they choose to have a representative attend) and anybody else attending the count all agreed to fudge the results in favor of a particular candidate, which is... unlikely, to say the least.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

This is exactly what you do at a caucus during the primary season.

Yet despite hand counts being immune to hackers, several states have thrown out the caucus in favor of primaries held at polling stations. Basically the same voting machines that can be hacked to sway the general election are also being used in the primaries to select nominees.

I still remember there was a huge discrepancy between most of the results of the 2016 caucuses vs the primaries, especially on the Democrat side. Sanders dominated the caucuses and yet he lost most of the primaries, and the only excuse the Clinton campaign could use was that his supporters were bullying voters at the caucuses.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

A number of years ago I was paid by one of the Canadian Federal parties to be their representative at a specific poll at a poling station. At the end of the voting day you had the official scrutineers hired by Elections Canada opening each ballot and showing them to the representatives. The scrutineer would say who was marked on the ballot and we would all take tallies. When it came to a problem ballot either we agreed or it was marked as spoiled and put in a separate pile. That way if there was a challenge those ballots could be easily brought out for review.

Considering the millions/billions? of dollars flushed down the toilet with these electronic voting systems, would it not be better to simply spend that same money by hiring more people to have more voting stations and do manual paper counts? At least at the end of the day you get locals paid money and you have an honest count of the ballots.

What I like about our system is the accessibility. Anyone can understand marking and counting bits of paper. You can see for yourself how it works. There's no trusting whatever wizard proclaimed the magic box will faithfully count the votes.

We can of course trust the wizard who proclaimed that the people who count ballots will never deliberately or accidentally change the result. Everybody knows that wizard. Great guy. I'm going to have a beer with him after work.

There's no trusting anyone. You can go volunteer or get paid by Elections Canada or one of the parties to take part in the process. Wow! Real democracy with actual participation and everything!

What? Trust isn't transferable like that. How does my ability to become involved mean that I trust everyone else at every stage in the process? Or does Canada provide resources so that every citizen can personally audit the entire election if they want?

It's not about trust being transferable, and you don't need to trust every single person. The way it's structured in Canada, all you really need to trust is that the candidates involved want to win the election. Those candidates can and do monitor the process directly, so if it was manipulated to favor one party it's a pretty safe bet that the others would immediately call foul.

Ballot boxes can be hacked by anyone with a claw hammer and some time so pen-and-paper is hardly an improvement here. Certainly voting machines should absolutely not have much, if any, networking capability.

Demonstrating that you vote went through correctly is absolutely impossible with pen-and-paper since there's no way to verify trustworthiness or competence of the person counting. On the other hand it is possible to create a receipt that can be compared against voting results to verify your vote was counted correctly, without having to expose anyone's votes.

But there isn't a person alone with the box at any time, the 'voting table' is in a voting location (usually a school) with several other tables next to them, with 3 to 4 randomly selected people in charge of each table, to keep track of the table book (with the people who are registered to vote at that table), check the ID of the voters, etc. Most locations also have people from different parties acting as auditors. At the end of the voting day (usually 4:30pm), each table opens their box and starts the count. You can be sure your vote was counted because several people were on top of it from the moment your table was opened in the morning. It's all very visible and transparent, which does not happen in electronic systems, where your vote can be switched (from a glitch or a hack) in any part of the process. With this pen and paper system, we even have initial results as early as 6:30 - 7:00pm, with final results at 8 - 9pm, in time for the evening news. Changing it to an electronic system would just make it untrustworthy, a black box.

Ballot boxes can be hacked by anyone with a claw hammer and some time so pen-and-paper is hardly an improvement here. Certainly voting machines should absolutely not have much, if any, networking capability.

-Some machines don't output a paper receipt to check that it counted your vote correctly (and even if it does, you can't be sure that it counted your vote for the same candidate that the paper states)

-Even if you get a paper receipt, that you then deposit in a sealed box, the boxes can "mysteriously" disappear, making it impossible to make a paper recount (as it happened in Venezuela)

Demonstrating that you vote went through correctly is absolutely impossible with pen-and-paper since there's no way to verify trustworthiness or competence of the person counting. On the other hand it is possible to create a receipt that can be compared against voting results to verify your vote was counted correctly, without having to expose anyone's votes.

See gmerrick's post. There is absolutely a way to verify that the vote count is done in a fair and trustworthy way, and it's common practice in other countries. The only way that the process he described could really fail is if the independent elections official and the actual candidates (or their representatives, if they choose to have a representative attend) and anybody else attending the count all agreed to fudge the results in favor of a particular candidate, which is... unlikely, to say the least.

I guess its a good thing that neither corruption or the ability to deceive people exists in Canada. Must make magic shows sort of boring, though. Anyway both corruption and the ability to deceive are possible in other places. That's one of the reasons people study election systems to come up with methods that allow us to minimize the degree of trust that must be given to people running the election.

Indeed, I like pen/paper. The audit trail is so easy - how many people voted, how many voting slips do you have. The same, cool. Feed them through a machine for speed and do a hand count as well to verify.

Don't believe the results, you have the slips to go back to.

I guarantee you, when two scoops donnie douchbag loses in 2020 (assuming he isn't impeached or has a jammer), the reps will be totally all about how these systems are rigged/hacked by, uh, Canada or something.

Ballot boxes can be hacked by anyone with a claw hammer and some time so pen-and-paper is hardly an improvement here. Certainly voting machines should absolutely not have much, if any, networking capability.

-Some machines don't output a paper receipt to check that it counted your vote correctly (and even if it does, you can't be sure that it counted your vote for the same candidate that the paper states)

-Even if you get a paper receipt, that you then deposit in a sealed box, the boxes can "mysteriously" disappear, making it impossible to make a paper recount (as it happened in Venezuela)

Demonstrating that you vote went through correctly is absolutely impossible with pen-and-paper since there's no way to verify trustworthiness or competence of the person counting. On the other hand it is possible to create a receipt that can be compared against voting results to verify your vote was counted correctly, without having to expose anyone's votes.

See gmerrick's post. There is absolutely a way to verify that the vote count is done in a fair and trustworthy way, and it's common practice in other countries. The only way that the process he described could really fail is if the independent elections official and the actual candidates (or their representatives, if they choose to have a representative attend) and anybody else attending the count all agreed to fudge the results in favor of a particular candidate, which is... unlikely, to say the least.

I guess its a good thing that neither corruption or the ability to deceive people exists in Canada. Must make magic shows sort of boring, though

I was explaining to you specifically how both of these things are mitigated by the Canadian system - it is designed specifically around the fact that these problems exist, and specifically to minimize the potential for them to occur. Your response is to mock me and pretend that I think they don't exist. That's not very bright.

Quote:

Anyway both corruption and the ability to deceive are possible in other places. That's one of the reasons people study election systems to come up with methods that allow us to minimize the degree of trust that must be given to people running the election.

Right, and the results of that study are what lead to the election laws in Canada placing the requirements that they do on the voting and vote counting process. The results of that study also consistently say that electronic voting machines are a terrible idea and you're still pretty wholeheartedly defending them, which tells me that you either aren't familiar with those studies or else don't care about their actual results.

I guess its a good thing that neither corruption or the ability to deceive people exists in Canada. Must make magic shows sort of boring, though. Anyway both corruption and the ability to deceive are possible in other places. That's one of the reasons people study election systems to come up with methods that allow us to minimize the degree of trust that must be given to people running the election.

That's the thing, with electronic voting, you have to blindly trust the person/company in charge of each step (the software, the machines, the tally, etc), and on top of that it's vulnerable to hacks, wheareas with pen and paper there are several independent eyes (from different parties) on top of each step.

I think we should listen to Tom Scott. Do all voting on paper, with pencils (not pens). Count everything by hand. Non-electronic voting has been beta-tested for centuries, and is likely more secure than anything new we could come up with.

Wrong. Tom does a great job of pointing out the flaws in e-voting systems but it fails entirely to account for the much more significant threat of attack on the backbone structures of registration validation and tabulation services.

As mentioned int he articles, yes if you get access to a machine or sit at a polling place and crack into the systems through wi-fi you might be able to swing a local election in a sufficiently small jurisdiction. But even in very small rural areas you have on the order of tens of polling places deciding most issues. That means getting 10+ people all working together to make sure ralph not bill is elected dog catcher.

Scaled up to state or national levels you're looking at thousands to hundreds of thousands of co conspirators targeting a diverse array of polling places, machines, and weaknesses, even targeting only swing states/districts is an untenable size of conspiracy. The threat is the much larger attack surface of voter rolls, tabulation, reporting, and validation.

Paper ballots do nothing to actually protect these targets. The idea of polling place fraud is a great boogey man but the real threat to fair elections comes with eliminating valid voters from targeted areas and seeing to it that their votes are not counted. The average citizen at their polling place is busy and has waited in line longer than they can probably afford by the time they get in. If the nice retiree behind the table say they can't find their name and hands over a provisional ballot (that will almost definitely not be counted) they will fill it out and trust that the "paperwork" error will be resolved.

A small group of foreign actors attacking voter rolls can undermine the election by spending months before the election attacking un-updated XP machines sitting in election offices around the country. Start crawling facebook or lease data from an aggregator and you can start to attach names with likely political alliance and region and make sure those voters votes never get counted.

Do voting machines need to be more secure certainly, but far more damage can be done with the severe insecurities that plague all of these underfunded governmental offices around the country.

Australia has one of the world's most complex voting systems in the world, with a mix of preferential voting systems and proportional representation. Voting is compulsory, so there are a lot of votes to be tallied.

Voting is done with pencil and paper, and votes are tallied by hand. The result is almost always announced a few hours after polls close.

I really don't see how tallying ballots is a technologically complex problem that needs opaque, potentially flawed voting systems. Just establish clear guidelines for voting and counting standards (developed by an independent voting commission), then have a robust scrutineering process during the process of counting.

It's a problem that is easily solved through proper processes and oversight, not through fancy technology. With those processes, a paper ballot works just fine. Without those processes, you can throw all the technology you want at the problem, and still have a problematic outcome.

Every dollar currently spent on voting machines should be spent on building more robust organizations to develop and enforce proper processes for conducting elections (i.e. an independent electoral commission). Then use cheap, low-fi technology in accordance with those processes.

Population isn't an excuse for not looking at worlds-best-practice processes either - voting scales linearly. You just need to tally up the votes for the local electorate and send them to head office for aggregation. It doesn't matter if you have 100 electorates or a 10000, the complexity of the task scales linearly.